Ensuring symmetric return path

Hello pals,

Please let me know how I can ensure a symmetric return path for WAN-to-LAN traffic in a multi-WAN setup.

Ex. Traffic coming from WAN1 to LAN should use WAN1 itself for its return path and not WAN2

Maneesh Kumar

Comments

  • james.carson Moderator, WatchGuard Representative

    Hi @maneeshk

    This is usually done via NAT. The outbound traffic will be written with the NAT address for that interface, and the distant end will reply to that address.

    If the distant end is replying to a different IP or interface, you'll need to look at that side and determine why it's doing that before you can determine how to fix it.

    -James Carson
    WatchGuard Customer Support

  • For incoming traffic, the firewall keeps state tables and will automatically send reply packets out the incoming WAN interface

  • Hello @James_Carson

    Don't you think @Bruce_Briggs does have a point that for incoming traffic, the firewall keeps a state table and will automatically send reply packets out through the incoming WAN interface? Unfortunately, the same is not happening in my case. For me, the LAN side interface is the IPsec Gateway interface. Is that something to do with the issue I'm facing?

    In case NAT would be required to be used, I'll lose all source Public IP addresses in access logs of hosted web servers.

    Maneesh Kumar

  • Please explain the traffic flow - from where to where.

  • james.carson Moderator, WatchGuard Representative

    Hi @maneeshk

    Yes, Bruce is correct. However, the firewall can't do anything about what the distant end is replying with.

    Which end of the connection is the problem?
    What protocol are you using?
    Who is initiating the connection?

    If you need assistance, you're going to need to describe your issue -- right now all we have is a vague statement and everyone is guessing at what your issue is.

    -James Carson
    WatchGuard Customer Support

  • Hello @Bruce_Briggs

    Traffic is destined from WAN1 to the IPsec VPN Gateway interface (e.g. eth0), but the response (i.e. the SYN-ACK) for the same TCP session is going via the WAN2 interface.

    Maneesh Kumar

  • You should open a support incident on this to get help from a WG rep in understanding and resolving this.
    Should you find a resolution, please post it.
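To make the state-table behaviour Bruce describes concrete, here is an added example (not code from the thread, and not how a WatchGuard Firebox implements it internally): a toy model in which a reply packet is routed by reversing its 5-tuple against a connection state table, falling back to the routing table when no state exists. The interface names, addresses and routes are constructed values.

```python
import ipaddress

# Constructed routing table: prefix -> egress interface. The only default
# route points at WAN2, so a plain routing lookup sends every reply bound
# for the Internet out WAN2, regardless of which WAN the request entered.
ROUTES = [
    (ipaddress.ip_network("10.0.0.0/8"), "eth0"),   # LAN / IPsec gateway side
    (ipaddress.ip_network("0.0.0.0/0"), "WAN2"),    # default route
]

# Connection state table: 5-tuple of the first packet -> interface it arrived on.
STATE = {}


def route_lookup(dst_ip):
    """Longest-prefix match against ROUTES; returns the egress interface."""
    addr = ipaddress.ip_address(dst_ip)
    matches = [(net, iface) for net, iface in ROUTES if addr in net]
    return max(matches, key=lambda m: m[0].prefixlen)[1]


def ingress(src, sport, dst, dport, iface):
    """Record an inbound flow, e.g. a SYN that arrived on WAN1."""
    STATE[(src, sport, dst, dport)] = iface


def egress_iface(src, sport, dst, dport, stateful=True):
    """Choose the egress interface for a reply packet such as the SYN-ACK.

    Stateful: reverse the 5-tuple and reuse the interface the original
    packet came in on (symmetric return path). Without state, or when the
    lookup misses, the decision falls back to the routing table, which is
    the asymmetric behaviour described in the thread.
    """
    if stateful:
        iface = STATE.get((dst, dport, src, sport))
        if iface is not None:
            return iface
    return route_lookup(dst)


def demo():
    """Constructed Internet client reaches a LAN web server through WAN1."""
    ingress("203.0.113.10", 51000, "10.1.1.5", 443, "WAN1")
    reply = ("10.1.1.5", 443, "203.0.113.10", 51000)
    asymmetric = egress_iface(*reply, stateful=False)   # routing only -> WAN2
    symmetric = egress_iface(*reply)                    # state table -> WAN1
    return asymmetric, symmetric  # -> ('WAN2', 'WAN1')
```

A reply whose flow was never recorded (state expired, or the session was not seen by this firewall) takes the routing-table path, which is why a missing or mismatched state entry produces exactly the WAN2 symptom described above.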
